Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 190

Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?

Answer options

• A. Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks.
• B. Add a WildFire subscription to activate DoS and zone protection features.
• C. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems.
• D. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.

Correct answer: D

Explanation

The correct answer is D because measuring and monitoring CPU consumption ensures that the firewall is capable of supporting the additional load from DoS and zone protection. Option A is incorrect as creating a zone protection profile is not a prerequisite for enabling these features. Option B is false because a WildFire subscription is not necessary for DoS and zone protection. Option C is incorrect since VM-Series systems do support these features.